Lucene search
K
GithubRecent

33227 matches found

Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.4 views

Concrete CMS is vulnerable to IDOR

Concrete CMS 9.5.0 and below is vulnerable to IDOR. The /ccm/frontend/conversations/messagedetail endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and th...

6.3CVSS5.9AI score0.00201EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.5 views

Concrete CMS is vulnerable to IDOR combined with a missing authentication gate

Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/fID accepts an integer file ID in the URL and returns internal site structure data page IDs, versions, URL paths to anyone who sends a GET request...

6.3CVSS5.8AI score0.00202EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.5 views

Concrete CMS is vulnerable to unauthenticated page metadata disclosure

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information...

6.3CVSS5.9AI score0.00195EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.19 views

Concrete CMS's RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation

In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses...

6.4CVSS5.8AI score0.00152EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.7 views

Concrete CMS is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference IDOR in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team thanks Tristan Madani for reporting this issue...

6.3CVSS5.8AI score0.00204EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.7 views

Concrete CMS has an unauthorized file access issue

In Concrete CMS 9.5.0 and below, the submitpassword method in concrete/controllers/singlepage/downloadfile.php allows unauthorized file access since downloading permission-restricted files bypasses the viewfile permission check. Files without passwords can be downloaded and any user who knows a...

6.3CVSS5.8AI score0.00224EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.4 views

Concrete CMS has a session-hardening bypass and allows password change without reauthorization

Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current password ...

5.3CVSS5.9AI score0.00182EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.5 views

Concrete CMS is vulnerable to unauthorized file deletion

Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protecti...

4.3CVSS5.8AI score0.00116EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/22 12:31 a.m.6 views

Concrete CMS is vulnerable to IDOR in AddMessage/UpdateMessage

Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments parameter which can lead to file permission bypass. The AddMessage and UpdateMessage conversation controllers accept user-supplied file attachment IDs and load files directly via $em-findFile::class,...

4.3CVSS5.7AI score0.00288EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 10:39 p.m.18 views

Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | Field | Value | | ---------------- | ----- | | Repository | Jovancoding/Network-AI | | Affected version | v5.4.4 commit c12686e181f231cf8d7bcf836a96d78f0f0877ac | Summary The MCP SSE server defaults to an empty secret...

6AI score0.00023EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:54 p.m.16 views

Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host

Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines Boxes and run OCI containers within them. Boxlite allows users to specify the OCI image used by containers in the sandbox. However, when processing tar entries in OCI images, Boxlite does not account for...

9.6CVSS6.6AI score0.00482EPSS
Exploits0References5Affected Software4
Github Security Blog
Github Security Blog
added 2026/05/21 9:52 p.m.18 views

BoxLite: Permission Bypass Allows Modification of Read-Only Files

Summary Boxlite is a sandbox service that allows users to create lightweight virtual machines Boxes and launch OCI containers within them to run untrusted code. One of the core security features claimed by Boxlite is the ability to mount host directories in read-only mode readonly=True into the V...

10CVSS6.2AI score0.00289EPSS
Exploits0References6Affected Software4
Github Security Blog
Github Security Blog
added 2026/05/21 9:49 p.m.11 views

ImageMagick: Information Disclosure in PasskeyEncipherImage via AES-CTR nonce reuse

The PasskeyEncipherImage method is vulnerable to information disclosure via AES-CTR nonce reuse. ImageMagick has update the documentation on its website to make it more clear that this is happening: https://imagemagick.org/cipher/...

5.8AI score
Exploits0References3Affected Software17
Github Security Blog
Github Security Blog
added 2026/05/21 9:43 p.m.11 views

ImageMagick: Division by Zero in binomial kernel

An user supplied large binomial kernel could result in an overflow that would lead to a division by zero...

5.9AI score
Exploits0References2Affected Software17
Github Security Blog
Github Security Blog
added 2026/05/21 9:42 p.m.15 views

ImageMagick: Heap Buffer Over-Write in json and yaml encoder of a single byte due to incorrect fix

An incorrect fix that was applied in GHSA-5592-p365-24xh could result in a heap buffer over-write of a single byte...

5.9AI score
Exploits0References3Affected Software17
Github Security Blog
Github Security Blog
added 2026/05/21 9:41 p.m.18 views

@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty

Summary The copyProps function in lib/src/object/copy.ts uses for...in to iterate over source object properties without an Object.hasOwnProperty check, and does not filter dangerous keys proto, constructor, prototype. This allows an attacker to pollute the prototype chain of all objects in the...

5.9AI score0.0006EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:40 p.m.40 views

containerd user ID handling bypass allows runAsNonRoot evasion

Impact A bug was found in containerd where containers launched with a numeric User directive that cannot be parsed as a 32-bit integer are incorrectly treated as a username. If a crafted image provides an /etc/passwd file mapping this large numeric string to root, the container ultimately runs as...

7.8CVSS5.7AI score0.00275EPSS
Exploits2References2Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/21 9:38 p.m.14 views

js-libp2p: Memory DoS via subscription flood of unique topics

Summary Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. 1. defaultDecodeRpcLimits.maxSubscriptions = Infinity packages/gossipsub/src/message/decodeRpc.ts:11: no decode-level cap on...

7.5CVSS5.8AI score0.00278EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:35 p.m.15 views

Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)

Summary When an application using Pydantic AI opts a URL into forcedownload='allow-local' which disables the default block on private/internal IPs, the cloud-metadata blocklist could be bypassed by encoding the metadata IP in an IPv6 transition form IPv4-mapped IPv6, 6to4, or NAT64. Dual-stack an...

8.6CVSS5.8AI score0.00579EPSS
Exploits1References3Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/21 9:32 p.m.13 views

Rust OneNote File Parser: Path traversal in `Parser::parse_notebook` allows reading files outside the notebook directory

Impact A maliciously crafted .onetoc2 table-of-contents file can cause Parser::parsenotebook to open arbitrary files on the host filesystem outside the notebook's directory. The parser reads entry names listed inside the .onetoc2 and joins them against the notebook's base directory without...

6AI score0.00011EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:31 p.m.15 views

SQLAdmin: Authorization Bypass on `ajax_lookup`

Impact The ajaxlookup endpoint in application.py bypasses the isaccessible access control check that all other endpoints enforce. If a developer restricts model access by overriding isaccessible, an authenticated user can still query that model's data through the ajaxlookup endpoint — silently...

4.3CVSS5.8AI score0.00279EPSS
Exploits1References6Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:31 p.m.17 views

Twig: Arbitrary PHP code execution via `_self.(<string>)` macro-reference compilation

Description The obj.expr dynamic-attribute syntax added in 3.15.0 as the replacement for the deprecated attribute function lets the attribute be an arbitrary expression. When the receiver is self or any % import % alias and the parenthesised expression is a string literal, DotExpressionParser...

6AI score0.00056EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.13 views

Twig: Sandbox property and method bypass via object-destructuring assignment

Description The object-destructuring assignment syntax introduced in Twig 3.24.0 generates a call to CoreExtension::getAttribute with the $sandboxed argument hardcoded to false, regardless of whether a SandboxExtension is active. This permanently disables the sandbox's property and method policy...

5.8AI score0.00082EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.7 views

Concrete CMS does not validate a CSRF token before processing requests to `/dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>`

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepareremoteupgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade method to...

8.8CVSS6.5AI score0.00171EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.7 views

Concrete CMS has Stored XSS through its height parameter

Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor's browser, potentially leading to session hijacking, credential...

7.3CVSS5.9AI score0.00122EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.6 views

Concrete CMS is vulnerable to missing authorization in the bulk_user_assignment.php

Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulkuserassignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove...

8.8CVSS5.8AI score0.00301EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.4 views

Concrete CMS is vulnerable to authorization bypass in the Calendar Event Frontend Dialog

Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data...

6.3CVSS5.8AI score0.00211EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.7 views

Concrete CMS contains a CSRF vulnerability

Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the installpackage method of concrete/controllers/singlepage/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under...

8.8CVSS6.1AI score0.00171EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.6 views

Concrete CMS is Vulnerable to Cross-Site Request Forgery

Concrete CMS 9.5.0 and below emits a CSRF token in the localavailableupdate.php view $token-output'doupdate' but the corresponding doupdate method in concrete/controllers/singlepage/dashboard/system/update/update.php never calls $this-token-validate'doupdate'. The form is rendered as a POST form,...

8.8CVSS5.8AI score0.00132EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.7 views

Concrete does not validate a CSRF token before processing requests to `/dashboard/extend/update/do_update/<pkgHandle>`

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/doupdate/. The doupdate method in concrete/controllers/singlepage/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the named...

8.8CVSS5.7AI score0.00122EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.6 views

Concrete CMS is vulnerable to authorization bypass in the Calendar Block

Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since actiongetevents does not check canView on the calendar which results in restricted event details being disclosed...

6.3CVSS5.9AI score0.00211EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.6 views

Concrete CMS Vulnerable to Deserialization of Untrusted Data

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism fromCIF === true, which normally...

8.9CVSS6AI score0.0047EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.9 views

Concrete CMS Vulnerable to Relative Path Traversal

Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable file...

9.4CVSS6.2AI score0.00738EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.6 views

Concrete CMS is vulnerable to Stored XSS via OAuth integration name

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name. The OAuth authorize template renders the integration name admin-controlled through Concrete's t translation helper as a sprintf-style format. The ... wrap is built by PHP string interpolation before t runs, so th...

7.3CVSS5.8AI score0.00181EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.4 views

Concrete CMS is Vulnerable to Cross-Site Request Forgery

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download method in concrete/controllers/singlepage/dashboard/extend/install.php checks only the canInstallPackages permission before fetching a remote marketplace...

7.5CVSS5.9AI score0.00118EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.5 views

Concrete CMS is vulnerable to unauthenticated file usage disclosure

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/fID with any file ID and receive a list of every page that references that file,...

6.9CVSS5.8AI score0.0025EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.7 views

LiteLLM allows a user to modify their own user_role via the /user/update endpoint

LiteLLM prior to 1.83.10 allows a user to modify their own userrole via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxyadmin...

8.8CVSS6.1AI score0.00653EPSS
Exploits2References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:30 p.m.8 views

LiteLLM allows an authenticated internal_user to create API keys with access to routes that their role does not permit

LiteLLM prior to 1.83.14 allows an authenticated internaluser to create API keys with access to routes that their role does not permit. When generating a key, the allowedroutes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

8.8CVSS6.1AI score0.00739EPSS
Exploits3References10Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:28 p.m.16 views

Twig: `{% sandbox %}{% include %}` skips checkSecurity() on cached templates (incomplete fix for CVE-2024-45411)

Description The fix for CVE-2024-45411 / GHSA-6j75-5wfj-gh66 added an explicit $loaded-unwrap-checkSecurity call in CoreExtension::include so that a template already cached in Environment::$loadedTemplates is re-checked when included with sandboxed = true. The deprecated but still functional %...

8.6CVSS5.8AI score0.00826EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:27 p.m.17 views

Twig: HTML-output filters in twig/* extras incorrectly declared `is_safe => ['all']`

Description Several filters in the twig/ extras packages are registered with issafe = 'all', which tells Twig's autoescaper to treat their output as safe in every context html, js, css, url, .... The output of these filters is plain text or HTML markup, neither of which is safe in every escaping...

5.8AI score0.0006EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/21 9:25 p.m.18 views

Twig: Sandbox property allowlist bypass via the `column` filter (array_column on objects)

Description The column filter passes its input straight to PHP's native arraycolumn. When the array elements are objects, arraycolumn reads $obj-$name and $obj-$index directly, including invoking get/isset. Because this property read happens entirely in PHP native code and never reaches...

5.9AI score0.00047EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:25 p.m.19 views

Twig: `template_from_string()` escapes a SourcePolicy-driven sandbox via synthesized template name

Description When the sandbox is enabled selectively via SourcePolicyInterface and not globally, a sandboxed template that is allowed to call templatefromstring and include can render an arbitrary inner template with no security policy enforcement. Environment::createTemplate compiles the inner...

6.1AI score0.00031EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:24 p.m.26 views

Twig: PHP code injection via `{% use %}` template name

Description Compiler::string escapes ", $, , NUL and TAB when generating PHP double-quoted string literals, but does not escape single quotes. In ModuleNode::compileConstructor, the template name from a % use % tag is compiled via subcompile - string and placed inside a surrounding PHP...

6.2AI score0.00357EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:23 p.m.16 views

twig/intl-extra: Unbounded formatter memoisation in keyed on template-controlled arguments

Description IntlExtension memoises every \IntlDateFormatter and \NumberFormatter it creates in instance-level arrays keyed on a hash that includes locale, pattern, attrs and other values that are ordinary named arguments of the formatdatetime / formatdate / formattime / formatnumber /...

5.8AI score0.00056EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:21 p.m.19 views

Twig: The `spaceless` filter implicitly marks its output as safe

Description The spaceless filter is registered with issafe = 'html', which means Twig's autoescaper does not escape its output in an HTML context. As a result, applying spaceless to attacker-controlled input that contains markup emits the markup unescaped even when the developer never wrote |raw...

5.7AI score0.00056EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 9:20 p.m.20 views

JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection

Summary js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "proto" member is an own enumerable property, so the for…in enumerates it and the targetkey = sourcekey write triggers the...

7.5CVSS5.8AI score0.00432EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 8:49 p.m.19 views

Russh: Unchecked CryptoVec allocation and growth handling is reachable

Title Unchecked CryptoVec allocation and growth handling was reachable from local agent inputs in current russh releases and from remote SSH traffic in historical pre-0.58.0 releases Summary CryptoVec used unchecked capacity growth, unchecked length arithmetic, and unsafe allocation/locking paths...

7.5CVSS5.9AI score0.00263EPSS
Exploits0References5Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/21 8:47 p.m.23 views

@hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails

Impact: @hulumi/policies versions before 1.3.2 used stack-wide evidence shortcuts in several Cloudflare and deployment-governance validators. Unrelated compliant-looking evidence could suppress violations for different zones, hostnames, origins, or repositories in the same stack. Patched in 1.3.2...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 8:45 p.m.19 views

@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators

Impact: @hulumi/policies versions before 1.3.2 only checked exact AWS IAM StringLike/StringEquals condition operator keys in GOIDC1. Set-qualified operators such as ForAnyValue:StringLike could hide wildcard GitHub Actions OIDC sub conditions from the mandatory guardrail. Patched in 1.3.2: the AW...

5.8AI score
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/21 8:44 p.m.13 views

@hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies

Impact: @hulumi/policies versions before 1.3.2 did not fully inspect inline and attached IAM policy evidence for the administrator-policy guardrail, so some admin-equivalent policy paths could pass policy evaluation. Patched in 1.3.2: the validator inspects the affected policy shapes and includes...

5.8AI score
Exploits0References2Affected Software1
Total number of security vulnerabilities33227